Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Ring Doorbell App for Android Sends Out Loads of User Data

The Ring doorbell application for Android contains third-party trackers and sends out a large amount of personally identifiable information (PII), the Electronic Frontier Foundation (EFF) has discovered.

The Ring doorbell application for Android contains third-party trackers and sends out a large amount of personally identifiable information (PII), the Electronic Frontier Foundation (EFF) has discovered.

The Ring app, the EFF says, sends user data to four main analytics and marketing companies, namely branch.io, mixpanel.com, appsflyer.com and facebook.com. Siphoned data includes names, IP addresses, network carriers, persistent identifiers, and sensor data.

Facebook is alerted when the app is opened, as well as when it is deactivated after the screen is locked, via the Graph API. Furthermore, data is sent to the social platform even if the user does not have an account, the EFF has discovered.

Information sent to Facebook includes time zone, device model, language preferences, screen resolution, and a unique identifier (anon_id). This identifier would persists even when the OS-level advertiser ID is reset.

To ‘deep’ linking platform Branch, Ring sends several unique identifiers (device_fingerprint_id, hardware_id, identity_id), along with the device’s local IP address, model, screen resolution, and DPI.

Information that big data company AppsFlyer is provided upon app launch includes mobile carrier, Ring installation date, unique identifiers, whether AppsFlyer tracking came preinstalled on the device, installed sensors (magnetometer, gyroscope, and accelerometer) and current calibration settings.

Business analytics service MixPanel receives the most information: “users’ full names, email addresses, device information such as OS version and model, whether Bluetooth is enabled, and app settings such as the number of locations a user has Ring devices installed in,” the EFF explains.

While MixPanel is mentioned in Ring’s list of third party services, none of the other trackers is. The extent of the data collection is not revealed either.

Advertisement. Scroll to continue reading.

Google-owned crash logging service Crashalytics also receives information from Ring, but the EFF has yet to determine the exact extent of data sharing.

The app uses encrypted HTTPS to send the data in such a manner that eludes analysis, the foundation says.

The amount of data shared with third-parties, EFF notes, is alarming, as it allows these companies to easily track users across applications.

“Ring claims to prioritize the security and privacy of its customers, yet time and again we’ve seen these claims not only fall short, but harm the customers and community members who engage with Ring’s surveillance system,” EFF concludes.

Following security and privacy-related complaints, Amazon-owned Ring announced earlier this month that its iOS and Android applications will soon include a new Control Center from where users can manage privacy and security features and settings. The Control Center makes it easier for users to enable two-factor authentication, see who is logged into an account and log them out, review third-party service connections, and prevent local police departments from accessing footage from Ring cameras.

Related: Google Says it Will Phase Out Web-Tracking ‘Cookies’

Related: Users Need to Consent to Online Tracking Cookies: EU Court

Related: European Government Websites Are Delivering Tracking Cookies to Visitors

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Cyber exposure management firm Armis has promoted Alex Mosher to President.

Software giant Atlassian has named David Cross as its new CISO.

Dan Pagel has been named the new CEO of risk management and remediation firm Brinqa.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.